The European Union (EU), in its continuous endeavors to protect the personal data took a drastic major step and issued a very important regulation under the name of (GDPR), which came into force last May of 2018.
The General Data Protection Regulation – GDPR – applies to different types of data processing that is to be carried out by all organizations operating within the EU. Moreover, it also applies to all other organizations outside the EU that offer goods or services to individuals in the EU. Based on this, any organization operating inside the EU zone, in addition to all other organizations that are outside the EU zone but are offering goods or services to individuals in the EU zone. By this, we can easily notice that the organizations outside the EU zone are also covered by this new regulation and are obliged to follow suit according to the provisions of the GDPR.
The GDPR is mainly to apply for the protection of the personal date, however, there is an exemption as the GDPR does not apply to certain activities including the instances of data processing whenever they are covered by the law enforcement directives, the processing for national security purposes and other processing carried out by individuals purely for their personal or household activities. The regulation for more clarity, hereby, specifies the types of exemptions for their application as and whenever required..
To streamline the process, the GDPR applies to ‘controllers’ and ‘processors’. The controller is the authorized body to say how and why personal data is processed, whereas, the processor is the body or entity that acts on the controller’s behalf and control.
If you happened to be a processor, the GDPR places specific legal obligations on you to follow. For example, you are required to maintain records of personal data and the processing activities you have undertaken. As a processor, you will have significant more legal liability if you are responsible for any type of breach. These obligations for processors are a new requirement under GDPR and they confirm the firm strategy of the EU towards more stringent rules to regulate the personal data to curb the huge destructive misuse we are facing now everywhere.
However, if you are a controller, you are not relieved of your obligations where a processor is involved. The GDPR places further obligations on the controllers to ensure that the contracts with the related processors comply with the provisions of the GDPR.
As a general rule, the GDPR applies to ‘personal data’. However, we have noticed that the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – e.g. an IP address can be personal data. The definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organizations collect information about persons. This comes as a result as, most organizations are keeping HR records, customer lists, or contact details etc.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This definition could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised, e.g. key-coded, can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. I believe, the justification behind this is to cover both automated and manual filling systems, is to cover all types of data processing being automated or manual, otherwise there could be escape room through manual data processing.
(To be continued).